Can I authenticate VPN clients using Active Directory username/passwd?

skhoury

IS-IT--Management
Nov 28, 2003
Hello all,

Is it possible to have users login to our VPN using their Active Directory accounts and passwords, rather than using a group account/password on the PIX?

We have a PIX515E with 7.0 loaded on it and the Cisco VPN client version 4.6.

If anyone has any tips or experience with this, it will be much appreciated!

Thanks,

Sam
 
Yes, it's possible. The following docco should get you up and running. You need to install Internet Authentication Service, which comes on the Windows CD, to act as a RADIUS server between your firewall and Active Directory.

Pretty straightforward, and works well.


CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
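The exchange chicocouk describes, as an added example that is not part of the original thread and not Cisco or Microsoft code: a small Python builder for the RFC 2865 Access-Request a firewall sends to a RADIUS server such as IAS (User-Name, a PAP User-Password hidden with MD5 and the shared secret, NAS-IP-Address), plus a verifier for the Response Authenticator on the Access-Accept that comes back. The shared secret, username, password and the 192.168.1.1 NAS address are constructed values, and `make_response` stands in for the IAS side so the whole exchange runs offline.

```python
"""RFC 2865 Access-Request builder and response verifier (added example, constructed data)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def deobfuscate_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password, as the RADIUS server performs it (trailing pad stripped)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Packet = Code, Identifier, Length, 16-octet Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable in real use
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2:
            raise ValueError("truncated or malformed attribute")
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(packet: bytes):
    """Returns (code, identifier, authenticator, attributes); rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    return code, ident, packet[4:20], parse_attrs(packet[20:length])


def make_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the server: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20)          # no attributes in this reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the shared secret."""
    _, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_decode_password(request: bytes, secret: bytes) -> bytes:
    """Server side: pull the User-Password attribute and recover the cleartext."""
    _, _, req_auth, attrs = parse_packet(request)
    hidden = next(v for t, v in attrs if t == ATTR_USER_PASSWORD)
    return deobfuscate_password(hidden, secret, req_auth)


def demo():
    """Full exchange with constructed values; returns (accept verifies, wrong secret verifies)."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    req = build_access_request(7, "DOMAIN\\sam", "P@ssw0rd", secret, "192.168.1.1", req_auth)
    accept = make_response(ACCESS_ACCEPT, req, secret)
    return verify_response(accept, req_auth, secret), verify_response(accept, req_auth, b"wrong")


if __name__ == "__main__":
    print(demo())  # (True, False)
```

What the code makes visible: the only thing protecting the directory password between the firewall and the RADIUS server is an MD5 keystream derived from the shared secret, and the only thing authenticating the Accept is that same secret. A long random secret and a RADIUS server reachable only on the trusted inside interface are therefore the two settings worth checking before pointing production logins at it.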
 
chicocouk - Thanks for the Doc!

Does it apply to PIX 7.0, however?

What I did was use the GUI's VPN Wizard to build out the remote access part of it.

For some weird reason though, it isn't working. When I launch the client to try to connect, it just says the remote side isn't responding.

Below is my configuration, would you (or anyone) mind taking a look to see what I might be missing?

Also - we already have a site-to-site VPN configured and it is working just fine.

Below is the config:

PIX Version 7.0(2)
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif PubDMZ
 security-level 4
 ip address 192.168.2.1 255.255.255.248
!
interface Ethernet3
 shutdown
 nameif DevDMZ
 security-level 6
 ip address 192.168.3.1 255.255.255.248
!
interface Ethernet4
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet5
 shutdown
 nameif intf5
 security-level 10
 no ip address
!
enable password *********************
passwd **************************
hostname bsc-pix
domain-name ********
boot system flash:/image
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list from_outside_coming_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging buffered informational
logging trap informational
logging asdm informational
logging facility 23
logging host inside 192.168.1.31
mtu outside 1500
mtu inside 1500
mtu PubDMZ 1500
mtu DevDMZ 1500
mtu intf4 1500
mtu intf5 1500
ip local pool BS_VPN_POOL 192.168.4.50-192.168.4.150 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface PubDMZ
monitor-interface DevDMZ
monitor-interface intf4
monitor-interface intf5
asdm image flash:/asdm-502.bin
asdm location 192.168.1.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group from_outside_coming_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.30
 timeout 5
 key *********
aaa-server NT_AAA protocol nt
aaa-server NT_AAA host 192.168.1.30
 nt-auth-domain-controller **************
group-policy BSVPN internal
group-policy BSVPN attributes
 dns-server value 192.168.1.30 192.168.1.31
 default-domain value ************
http server enable
http NET-ADMIN-PC1 255.255.255.255 inside
http NET-ADMIN-PC2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.*.*
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
telnet NET-ADMIN-PC1 255.255.255.255 inside
telnet NET-ADMIN-PC2 255.255.255.255 inside
telnet timeout 5
ssh NET-ADMIN-PC1 255.255.255.255 inside
ssh NET-ADMIN-PC2 255.255.255.255 inside
ssh timeout 5
console timeout 5
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key *
tunnel-group BSVPN type ipsec-ra
tunnel-group BSVPN general-attributes
 address-pool BS_VPN_POOL
 authentication-server-group NT_AAA
 default-group-policy BSVPN
tunnel-group BSVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
policy-map inspection_default
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5 3des-sha1